How do I snoop unauthorised traffic

09-11-2006
Peter Lowrie

How do I snoop unauthorised traffic

One of the Windows 2000 boxes is sending data out of the network to some host
on the internet. My gateway is Mandrake Linux 8.2 running straight
iptables. I've tried tcpdump against the internet facing NIC but the data
are inconclusive.

How do I determine what traffic is leaving the network and determine what
host it is being sent to, then what string do I use in
the /etc/sysconfig/iptables file to block it?

Thanks
Peter
09-11-2006
Moe Trin

Re: How do I snoop unauthorised traffic

On Tue, 12 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <1462842.YJ72qOBedK@xbox.pelnet.net>, Peter Lowrie wrote:

>One of the Windows 2000 boxes is sending data out of the network to some host
>on the internet.


1. Disconnect the windoze box
2. Ask the luser running it WTF they are doing.

>My gateway is Mandrake Linux 8.2


That's over four years old. Why are you running such an ancient UNSUPPORTED
release on the Internet? OK - saw your other post - you shouldn't have a
problem booting with anything current. What happens when you try? Does the
computer catch on fire or something? The packet errors you are reporting
suggest a problem with the NIC - possibly an interrupt being blocked by
some other process. As for the "slow" port 110, use tcpdump to see what
traffic is occurring. Is the POP server trying to Ident you (trying a
connect to your port 113)?

>running straight iptables.


OK, but the rules don't make much sense to me.

>I've tried tcpdump against the internet facing NIC but the data
>are inconclusive.


What is that supposed to mean? Is the stuff encrypted (like SSH traffic)?
Or is it that you merely don't understand IP and TCP headers?

>How do I determine what traffic is leaving the network


Disconnect the stupid windoze box, and ask the luser to explain. If they
can't, talk to your legal types, and remove the luser. Then make a copy
of the hard disk, and take the copy to a windoze expert.

>and determine what host it is being sent to


What is the source/destination IP address? If you are masquerading, run
tcpdump on the inside NIC, rather than the Internet side. You'd also want
to record what port numbers are being used on the source and destination
sides.

>then what string do I use in the /etc/sysconfig/iptables file to block it?


708351 Nov 14 2005 IP-Masquerade-HOWTO
17605 Jul 21 2004 Masquerading-Simple-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO

but the better solution is to find out what is running on the windoze box
and fix that.

Old guy
09-12-2006
Tauno Voipio

Re: How do I snoop unauthorised traffic
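Moe Trin's advice above (capture on the inside NIC when masquerading, and record source and destination addresses and ports) done as a small script. This is an added example, not code from anyone in the thread: it reads the text output of `tcpdump -n` and prints one line per inside-host to outside-host:port flow, busiest first, so the talkative box and its destination stand out. The sample lines are constructed, the modern tcpdump line format (`IP src.port > dst.port: ...`) is assumed, and the inside network 192.168.1.0/24 and interface eth1 are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "tcpdump -n" output from the
# gateway's inside NIC into "who inside is talking to whom outside, on what port".
# Assumptions: modern tcpdump line format ("IP src.port > dst.port: ..."),
# inside network 192.168.1.0/24, inside interface eth1.

# summarise_talkers INSIDE_PREFIX  < tcpdump-text
# Prints "count src_ip dst_ip dst_port proto", busiest flow first. Only packets
# that originate inside and are headed outside are counted; replies coming back
# and LAN-local traffic (e.g. NetBIOS broadcasts to 192.168.1.255) are ignored.
summarise_talkers() {
    awk -v inside="$1" '
    $2 == "IP" && index($3, inside) == 1 && index($5, inside) != 1 {
        src = $3; dst = $5
        sub(/:$/, "", dst)                 # "203.0.113.5.6667:" -> "203.0.113.5.6667"
        n = split(dst, d, ".")             # 5 dotted fields = host.port, 4 = bare host (ICMP)
        if (n == 5) { dhost = d[1] "." d[2] "." d[3] "." d[4]; dport = d[5] }
        else        { dhost = dst; dport = "-" }
        n = split(src, s, ".")
        shost = (n == 5) ? s[1] "." s[2] "." s[3] "." s[4] : src
        # $6 is "Flags" for TCP, "UDP," for UDP, "ICMP" for ICMP
        proto = ($6 ~ /^Flags/) ? "tcp" : (($6 == "UDP,") ? "udp" : (($6 == "ICMP") ? "icmp" : tolower($6)))
        count[shost " " dhost " " dport " " proto]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of what "tcpdump -n -i eth1" might print; not a real capture.
SAMPLE='12:00:01.000001 IP 192.168.1.10.1032 > 203.0.113.5.6667: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 203.0.113.5.6667 > 192.168.1.10.1032: Flags [S.], seq 2, ack 2, win 5840, length 0
12:00:01.000003 IP 192.168.1.10.1032 > 203.0.113.5.6667: Flags [.], ack 1, win 65535, length 0
12:00:01.000004 IP 192.168.1.10.1032 > 203.0.113.5.6667: Flags [P.], seq 1:40, ack 1, win 65535, length 39
12:00:02.000001 IP 192.168.1.10.137 > 192.168.1.255.137: UDP, length 50
12:00:03.000001 IP 192.168.1.20.1100 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
12:00:04.000001 IP 192.168.1.10 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64'

# Expected first line: "3 192.168.1.10 203.0.113.5 6667 tcp"
printf '%s\n' "$SAMPLE" | summarise_talkers 192.168.1.
```

On the gateway itself the same function is fed from a live capture or from a file saved with `-w`: `tcpdump -n -i eth1 -c 2000 'src net 192.168.1.0/24 and not dst net 192.168.1.0/24' | summarise_talkers 192.168.1.` or `tcpdump -n -r capture.pcap | summarise_talkers 192.168.1.`. The BPF filter already does the inside/outside split; the prefix check in awk is just a second guard. Encrypted payloads do not matter here, since only addresses, ports and packet counts are used.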

Peter Lowrie wrote:
> One of the Windows 2000 boxes is sending data out of the network to some host
> on the internet. My gateway is Mandrake Linux 8.2 running straight
> iptables. I've tried tcpdump against the internet facing NIC but the data
> are inconclusive.
>
> How do I determine what traffic is leaving the network and determine what
> host it is being sent to, then what string do I use in
> the /etc/sysconfig/iptables file to block it?


Windows is pretty talkative out-of-the-box. You probably want
to disable the ports 135 to 193 and 445 for both TCP and UDP.

--

Tauno Voipio
tauno voipio (at) iki fi
09-13-2006
Llanzlan Klazmon

Re: How do I snoop unauthorised traffic

Peter Lowrie <peterlowrie@paradise.net.nz> wrote in
news:1462842.YJ72qOBedK@xbox.pelnet.net:

> One of the Windows 2000 boxes is sending data out of the network to some
> host on the internet. My gateway is Mandrake Linux 8.2 running straight
> iptables.


As others said. That's a pretty old version.

> I've tried tcpdump against the internet facing NIC but the
> data are inconclusive.


Why? tcpdump can capture everything there is to see. Of course if the data
is encrypted then it won't tell you much other than the source/dest IP and
port numbers.

>
> How do I determine what traffic is leaving the network and determine
> what host it is being sent to,


tcpdump can certainly capture that. If you have difficulty with the output
from tcpdump I suggest you save the data to a file using the -w option.
Then inspect the file using a graphical program like ethereal which can
read tcpdump output files fine.

> then what string do I use in
> the /etc/sysconfig/iptables file to block it?


In the forward chain, add a rule that drops or rejects the packets you
don't like.

Klazmon.

>
> Thanks
> Peter


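Klazmon's last point, a rule in the FORWARD chain that drops or rejects the packets you don't like, written out as an added example (not code from anyone in the thread). It blocks one inside host's connections to one outside host:port on a masquerading gateway, logging a rate-limited sample before dropping, and also prints the same two rules in the syntax of /etc/sysconfig/iptables. Assumptions for the example: eth1 is the LAN side, eth0 the Internet side, 192.168.1.10 is the Windows box, 203.0.113.5 port 6667/tcp is the destination found in the capture, and /etc/sysconfig/iptables holds iptables-save format, as the Red Hat/Mandrake iptables init script loads it.

```shell
#!/bin/sh
# Added example (not from the thread): block one inside host's connections to
# one outside host:port on a masquerading gateway, logging before dropping.
# Assumptions: eth1 = LAN side, eth0 = Internet side, 192.168.1.10 = the
# Windows box, 203.0.113.5:6667/tcp = destination seen in the capture,
# /etc/sysconfig/iptables = iptables-save format.
# Dry run by default (prints the commands); run with IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# block_flow INSIDE_HOST OUTSIDE_HOST DPORT IN_IF OUT_IF
# Traffic passing through a gateway is filtered in FORWARD, not INPUT/OUTPUT,
# and the nat MASQUERADE rule does not bypass it. The rules are inserted at the
# head of the chain so they win over an existing blanket "-j ACCEPT" for
# LAN -> Internet traffic further down.
block_flow() {
    inside="$1"; outside="$2"; dport="$3"; in_if="$4"; out_if="$5"
    # Rate-limited LOG first, so the syslog shows whether the box keeps retrying.
    $IPTABLES -I FORWARD 1 -i "$in_if" -o "$out_if" -p tcp -s "$inside" -d "$outside" --dport "$dport" \
        -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "FWD-BLOCK: "
    # Then DROP at position 2, directly after the LOG rule. Use -j REJECT instead
    # if you would rather the client get an immediate error than wait for timeouts.
    $IPTABLES -I FORWARD 2 -i "$in_if" -o "$out_if" -p tcp -s "$inside" -d "$outside" --dport "$dport" -j DROP
}

# save_format INSIDE_HOST OUTSIDE_HOST DPORT IN_IF OUT_IF
# The same two rules as lines for the *filter section of /etc/sysconfig/iptables.
# They must sit above the rule that accepts forwarded LAN traffic: rules are
# matched in order and the first match decides.
save_format() {
    in_if="$4"; out_if="$5"
    printf '%s\n' \
      "-A FORWARD -i $in_if -o $out_if -s $1 -d $2 -p tcp -m tcp --dport $3 -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix \"FWD-BLOCK: \"" \
      "-A FORWARD -i $in_if -o $out_if -s $1 -d $2 -p tcp -m tcp --dport $3 -j DROP"
}

block_flow 192.168.1.10 203.0.113.5 6667 eth1 eth0
echo '# lines for the *filter section of /etc/sysconfig/iptables:'
save_format 192.168.1.10 203.0.113.5 6667 eth1 eth0
```

After applying, `iptables -L FORWARD -n -v --line-numbers` shows the two rules at the top with their packet counters; a rising counter on the DROP rule tells you the box is still trying, which is the cue to do what Moe Trin said and deal with the machine itself rather than just the symptom at the gateway.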